Date: Mon, 20 Sep 2010 21:45:29 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerable 3rd-party DLLs used in TrendMicro's malware scanner HouseCall

Trend Micro <http://www.trendmicro.com/> / <http://www.antivirus.com/>
offer a free malware cleanup tool named "HouseCall 7.1" for Windows:
<http://housecall.trendmicro.com/>
<http://go.trendmicro.com/housecall7/HousecallLauncher.exe>
<http://go.trendmicro.com/housecall7/HousecallLauncher64.exe>


Versions of this "security" product before the current build 1078
from 2010-08-30, published 2010-09-06 (according to HTTP timestamp),
came with outdated and vulnerable OpenSource components:

1. libcurl.dll: version 7.19.0 from 2008-09-01

   updated 10 times since, at least 3 times due to vulnerabilities;
   see <http://curl.haxx.se/> and
   <http://curl.haxx.se/docs/security.html>
   

2. ssleay32.dll and libeay32.dll: version 0.9.8i from 2008-09-15

   updated 5 times since due to vulnerabilities; see
   <http://openssl.org/news/> and
   <http://openssl.org/news/vulnerabilities.html>


3. bzip2.exe: version 1.0.2

   gets downloaded upon start, updated 3 times since then due to
   vulnerabilities; see <http://www.bzip.org/downloads.html>


Users who downloaded this "security" product before 2010-09-07 should
get a new copy ASAP!


Stefan Kanthak



Timeline:

2010-07-08: informed vendor support

            no reaction

2010-07-15: informed vendor sales department

2010-07-16: reply from vendor: will forward to product manager

2010-07-21: reply from vendor: service engineering team now in charge

2010-08-26: sent status request to vendor

2010-08-26: reply from vendor: will request status from product manager

            no more reaction

2010-09-06: silently fixed

2010-09-16: report published
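
Added example, not part of the original post and not Trend Micro's code: a small inventory check that searches the bytes of shipped binaries for embedded version banners and flags any component at or below the versions named in the post. The banner patterns are assumptions about what these libraries embed, and the sample byte strings are constructed.

```python
import re
import sys

# Assumed banner formats (not taken from the post).
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}"),
    "libcurl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
    "bzip2": re.compile(rb"(\d+\.\d+\.\d+), \d{1,2}-[A-Z][a-z]{2}-\d{4}"),
}
# Versions the post reports as outdated; anything at or below them is flagged.
REPORTED = {"openssl": "0.9.8i", "libcurl": "7.19.0", "bzip2": "1.0.2"}

def version_key(version):
    """Sortable key; handles OpenSSL letter suffixes (0.9.8 < 0.9.8a < 0.9.8i)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised version: " + version)
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def scan(blob):
    """Return the set of (component, version) banners found in a binary blob."""
    return {(name, m.group(1).decode("ascii"))
            for name, rx in BANNERS.items() for m in rx.finditer(blob)}

def audit(blob):
    """Return sorted (component, version, flagged) tuples for one blob."""
    return sorted((name, ver, version_key(ver) <= version_key(REPORTED[name]))
                  for name, ver in scan(blob))

# Constructed sample inputs standing in for file contents.
OLD_SAMPLE = (b"\x00\x01OpenSSL 0.9.8i 15 Sep 2008\x00pad"
              b"libcurl/7.19.0\x00pad1.0.2, 30-Dec-2001\x00")
NEW_SAMPLE = b"OpenSSL 9.9.9 01 Jan 2099\x00libcurl/99.0.0\x00"  # placeholder versions

if __name__ == "__main__":
    # Usage: python audit.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for name, ver, flagged in audit(fh.read()):
                status = "OUTDATED (at or below reported version)" if flagged else "newer"
                print(f"{path}: {name} {ver}: {status}")
```

A "newer" result only means the version is above the one reported in the post; it still has to be checked against each project's current security advisories.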
